Patch Issued for Actively Exploited Drupal Vulnerability

A patch for a Drupal vulnerability (CVE-2017-6922) that had been actively exploited for some months was released in June 2017. The flaw affects Drupal 7.56 and 8.3.4.

Drupal had been aware of the flaw, an access bypass vulnerability, since October 2017. On misconfigured websites the flaw can be exploited to let anonymous users upload files that are then stored in the private file system, from where they can later be accessed by other anonymous users. Under normal circumstances, private files that are not attached to website content should be accessible to nobody other than the user who uploaded them. The vulnerability only affects websites that allow file uploads by anonymous or unauthenticated visitors.

Drupal has stated that anonymous users were able to upload pictures or other files through webforms on a website that the administrator would not wish to be open to other individuals. The vulnerability is attractive to spammers, who have been exploiting it for that purpose: they can direct search engines to those files, or point unsuspecting users at them through spam email campaigns.

Another flaw, in this case a critical improper field validation flaw (labelled CVE-2017-6921), has also been repaired. This weakness would also permit a malicious person to upload files to a vulnerable site when the RESTful Web Services module is enabled. The module allowed PATCH requests that let a user who had registered an account on the site, with authorisation to upload files, modify the file resource. The flaw is present in Drupal core versions prior to the 8.3.4 release.

A further Drupal vulnerability, CVE-2017-6920, which affects version 8.3.4, has also been rectified. The flaw is a remote code execution vulnerability that had been rated critical by security specialists. The patch amends the way in which the PECL YAML parser deals with unsafe objects. This Drupal vulnerability may potentially be exploited on any unpatched Drupal version that permits remote code execution. The vulnerability is present in core versions 7.x prior to 7.56 and 8.x versions prior to 8.3.4.
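The YAML issue above comes down to whether the parser is allowed to turn a tagged scalar into a live PHP object while reading untrusted input. The following is an added example, not Drupal's own code or the fix shipped in 8.3.4: it assumes the PECL yaml extension is installed and uses that extension's `yaml.decode_php` ini directive, which controls whether a `!php/object` tag is unserialized. The sample document, including the harmless `stdClass` payload, is constructed for the demonstration.

```php
<?php
// Added example, not Drupal core code. Assumes the PECL yaml extension is loaded;
// yaml.decode_php is that extension's ini directive that decides whether a
// "!php/object" tag is passed to unserialize() and becomes a live object.

/**
 * Decode YAML with PHP object unserialization switched off for the call,
 * then restore whatever the caller had configured.
 */
function yaml_decode_safe(string $yaml): mixed
{
    $previous = ini_get('yaml.decode_php');
    ini_set('yaml.decode_php', '0');
    try {
        return yaml_parse($yaml);
    } finally {
        // Do not leak the temporary setting into the rest of the request.
        ini_set('yaml.decode_php', $previous === false ? '0' : $previous);
    }
}

/**
 * Check whether a decoded document still contains any object, which would
 * indicate that the parser instantiated something from the input.
 */
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample: with yaml.decode_php enabled this tag would yield a
// stdClass instance; with it disabled the value stays a plain string.
$sample = <<<'YAML'
title: Example configuration
payload: !php/object 'O:8:"stdClass":1:{s:4:"name";s:5:"value";}'
YAML;

$decoded = yaml_decode_safe($sample);

echo contains_object($decoded)
    ? "UNSAFE: parser instantiated an object from the document\n"
    : "OK: tagged value kept as a string (" . gettype($decoded['payload']) . ")\n";
```

Running this on a host where `yaml.decode_php` defaults to on shows the difference directly: `yaml_parse($sample)` by itself produces an object, while `yaml_decode_safe($sample)` returns the tagged value as a string. Auditing for `yaml_parse` calls that read untrusted input without this setting disabled is the practical takeaway for sites that cannot yet upgrade.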